I've Been Framed
September 9, 2002

Israeli security firm GreyMagic issued a warning Monday that a new vulnerability discovered in Microsoft's Internet Explorer (IE) could allow attackers to compromise your computer through a Web site's frames.

All versions of the popular Web browser from 5.5 onward are vulnerable to the flaw, as is any other application that uses IE's rendering engine, such as Outlook and MSN Explorer.

The vulnerability allows an attacker to execute script on any page that contains frame or iframe (inline frame) elements, ignoring any protocol or domain restriction imposed by IE.

By executing script, an attacker could steal cookies from almost any site, access and change content on sites and, in most cases, also read local files and execute arbitrary programs on the client's machine.

Frames, which are essentially sections of the browser display that are separate Web pages, may contain URLs in other domains or protocols, and therefore have strict security rules that prevent frames in one domain from accessing content and information in another.

It is possible, however, to set a frame's URL from the parent page. Setting the child frame's URL to "javascript:[code]" does not load a new page; it executes the script in the context of the URL currently loaded in that frame, whatever its domain or protocol.

In order to capitalize on the vulnerability to reach the "My Computer" zone, an attacker would have to find a local file or resource that itself contains a frame or an iframe. According to GreyMagic, this is quite an easy task for users of IE version 6, as Microsoft provided such a resource, ironically named "PrivacyPolicy.dlg".

By loading "res://shdoclc.dll/privacypolicy.dlg" and then changing the URL of the frame it contains to "javascript:[code]", an attacker could read local files and execute arbitrary programs.

While "PrivacyPolicy.dlg" isn't shipped with version 5.5, Windows ships with several HTML files, in relatively static locations, that may contain frames. By running a simple scan of such known local files, an attacker could locate suitable files and use them the same way as "PrivacyPolicy.dlg".

Because a patch from Microsoft is not yet available, GreyMagic suggests that users disable Active Scripting, which adequately addresses the issue.

Microsoft, which has become notorious for security flaws, is also currently scrambling to find the cause of an increase in attacks that lock out users, install backdoor programs, and give an attacker remote access.

The company's Product Support Services (PSS) Security Team issued a vague bulletin noting an increase in malicious activity that tries to load code onto Windows 2000-based servers. This activity is typically associated with a program that has been identified as Backdoor.IRC.Flood.

Microsoft updated its initial report with its latest theory: that the activity is associated with a coordinated series of individual attempts to compromise Windows 2000-based servers.

Noting that the attacks do not appear to exploit any new product-related security vulnerabilities and do not appear to be viral or worm-like in nature, Microsoft stated that the threat should be addressed by following standard security practices, such as eliminating blank or weak administrator passwords, disabling the guest account, running current antivirus software, and using a firewall.
